CLI Overview

The Vault CLI (pwm) brings password management to your terminal with Touch ID support, secret injection, and scriptable output.

Installation

# Clone and build
git clone https://github.com/zeroexcore/vault.git
cd vault
pnpm install
pnpm build
 
# Link globally
cd packages/cli
pnpm link --global
 
# Verify installation
pwm --version

Quick Start

# 1. Login (opens browser for passkey)
pwm auth login you@example.com
 
# 2. List your entries
pwm entry list
 
# 3. Get a password
pwm entry get github --copy
 
# 4. Generate a new password
pwm generate --strength

Command Reference

Authentication

pwm auth login <email>   # Login via browser passkey
pwm auth logout          # Clear session
pwm auth status          # Check login status

Entries

# List and search
pwm entry list                      # List all entries
pwm entry list --search github      # Search by name/username
pwm entry list --tag work           # Filter by tag
pwm entry list --type card          # Filter by type
pwm entry list --favorites          # Show favorites only
pwm entry list --recent 7           # Last 7 days
 
# CRUD operations
pwm entry add                       # Interactive add
pwm entry get <query>               # Get entry details
pwm entry get <query> --show        # Show password
pwm entry get <query> --copy        # Copy password
pwm entry edit <query>              # Edit entry
pwm entry delete <query>            # Delete entry
 
# Import/Export
pwm entry import <file>             # Import from CSV
pwm entry export                    # Export to JSON
pwm entry export --format env       # Export as .env

Password Generator

# Passwords
pwm generate                        # 20 char password
pwm generate --length 32            # Custom length
pwm generate --no-symbols           # Alphanumeric only
pwm generate --strength             # Show strength meter
pwm generate --copy                 # Copy to clipboard
 
# Passphrases
pwm generate --passphrase           # 4 word passphrase
pwm generate --passphrase --words 6 # More words
pwm generate --passphrase -s "-"    # Custom separator

Vault Sharing

pwm share setup                     # Initialize sharing keys
pwm share create <email>            # Invite user
pwm share create <email> -r admin   # With admin role
pwm share pending                   # View invitations
pwm share accept <id>               # Accept invitation
pwm share members                   # List vault members
pwm share remove <email>            # Revoke access

Secret Injection

pwm use <vault> <command>           # Run with secrets
pwm use default npm start           # Inject all secrets
pwm use prod --tag aws npm deploy   # Filter by tag
pwm use dev --dry-run echo test     # Preview mode

Features

🔐 Touch ID (macOS)

The CLI supports Touch ID for vault access. On first use, you'll set up a master password that's stored in your macOS Keychain.

# Touch ID prompt appears automatically
pwm entry list
 
# Fallback to password if needed
pwm entry list --password

Learn more about Touch ID setup →

🔑 Multi-Vault Support

Work with multiple vaults using the -v flag:

# Default vault
pwm entry list
 
# Named vault
pwm entry list -v work
pwm entry add --vault personal
pwm share members -v team

📤 JSON Output

Get machine-readable output for scripting:

# List as JSON
pwm entry list --json
 
# Get entry as JSON
pwm entry get github --json
 
# Pipe to jq
pwm entry list --json | jq '.[].name'

🎬 Demo Mode

Record CLI demos without real auth:

export PWM_DEMO_MODE=true
pwm entry list  # Uses mock data

Learn about terminal recordings →

Aliases

Common commands have short aliases:

Full Command	Alias	Example
`pwm entry list`	`pwm e ls`	`pwm e ls -t work`
`pwm entry add`	`pwm e a`	`pwm e a -v personal`
`pwm entry get`	`pwm e g`	`pwm e g github -c`
`pwm generate`	`pwm g`	`pwm g -l 24`
`pwm share`	`pwm s`	`pwm s members`

Examples

Daily Workflow

# Morning: check what's in your vault
pwm entry list --favorites
 
# Get AWS credentials
pwm entry get aws --copy
 
# Generate a new API key
pwm generate --length 32 --no-symbols --copy

CI/CD Integration

# Run tests with database credentials
pwm use staging npm test
 
# Deploy with production secrets
pwm use production --tag deploy ./deploy.sh
 
# Export secrets to .env file
pwm entry export --format env --tag aws > .env

Team Sharing

# Share work vault with new teammate
pwm share setup  # One-time setup
pwm share create alice@company.com -v work -r write
 
# Check who has access
pwm share members -v work
 
# Remove departed employee
pwm share remove bob@company.com -v work

Next Steps

Authentication Guide - Browser delegation and session management
Entry Commands - Complete CRUD documentation
Password Generator - All generation options
Secret Injection - Environment variable injection
Touch ID Setup - macOS biometric configuration